Fri, 22 Feb 2019 15:21:31 +0000
This policy describes the organization's processes for requesting, obtaining, using, and terminating access to organization networks, systems, and data for the purpose of enabling staff members to regularly work remotely on a formal basis.

From the policy:

Summary
Today’s technology allows companies to offer employees the opportunity to work from home, on the road, or from just about anywhere besides the corporate office. This can benefit both the employee and the company in various ways. But as more and more employees ask to telecommute, companies must have a viable telecommuting policy.

Objective
The purpose of this policy is to establish guidelines for employees who want to participate in the organization’s telecommuting program.

Compensation and work hours
The employee’s compensation, benefits, work status, and work responsibilities will not change due to participation in the telecommuting program. The amount of time the employee is expected to work per day or pay period will not change as a result of participation in the program.

Eligibility
Employees will be selected based on the suitability of their jobs, an evaluation of the likelihood of their being successful telecommuters, and the approval of their supervisor. Each department will make its own telecommuting decisions and be responsible for measuring the success of the results. Before telecommuting, employees must read and sign this Telecommuting Policy. Due to various job responsibilities, not all employees will be eligible to telecommute. The IT department can’t support any telecommuter who has not returned an Acknowledgement of Telecommuting Policy form signed by both the employee and the employee’s manager.

Equipment
The company may provide tools and equipment for employees to use in fulfilling their job responsibilities from a remote location. The equipment may include computer hardware, smartphones, tablets, routers, modems, software programs, phone lines, email, voicemail, connectivity to host applications, VPN support, and other applicable resources as deemed necessary. The use of these resources, when provided by the company for use at the remote work location, is limited to authorized persons for purposes relating to company business only.

Depending on the nature of the job, telecommuting employees may instead use their own equipment. Employees are responsible for the installation, repair, and maintenance of all personal equipment used for telecommuting. They must also understand and agree that the company may access for job-related purposes any personal equipment used while telecommuting.
Fri, 08 Feb 2019 00:00:00 +0000

From the policy:

Resource and data recovery guidelines
There are four possible scenarios involving the need to recover resources and data:

Loss: A device containing confidential data is misplaced and irretrievable.

Failure: A device or service becomes unavailable due to damage or age.

Compromise: A malicious individual has stolen or accessed company data they have no legitimate reason to possess.

Termination of service: A contract with an outside organization that provides or facilitates access to data is ending, and company information should be removed from their systems.

Backups are essential
Backups are a key element regardless of the scenario and are therefore the foundation of this policy. All company data must be backed up on at least a daily basis, whether it resides in-house, outside the organization, or on servers, workstations, or mobile devices. There should never be a single copy of critical data; multiple copies should exist in the form of backups or synchronization to a remote disaster recovery (DR) site. Where possible, a secure offsite storage service, such as Iron Mountain, should be used. This will protect data against a site failure, such as a power outage or physical damage.

IT staff will determine how and where backups take place; they may occur locally or using cloud-based services such as Dropbox or Sugarsync, so long as standards for the protection of sensitive information are met (see the next section) and any regulatory safeguards that may apply to the organization are adhered to.
Wed, 23 Jan 2019 00:00:00 +0000

From the policy:

Policy guidelines
Severe weather conditions or other unexpected events that infringe upon or prevent normal business operations or place personnel in jeopardy will be the basis of decisions involving the closing of one or more company locations. Senior management will be responsible for determining whether to close the facility (or facilities) during the following situations:

Chemical spills, gas leaks, or downed power lines

Dangerous activities (terrorist attacks, shootings, etc.)

Earthquake

Fire

Flooding

Hurricane

Power outage

Snow storm or ice storm

Tornado

Any other threat or situation not listed that may render the company incapable of normal operations or that places staff at risk

Where possible, advance notice should be given to employees regarding the status of the company when it appears likely that one of these conditions will justify making the decision to close, such as when meteorologists predict a significant storm is en route to the area or the governor has asked all residents of the state to remain off the streets.

If one of the above conditions occurs nearby but not in direct proximity to the company, senior management will decide whether the company remains open. If the decision is made to continue normal business operations, note that employees living in the affected areas (or who must commute through these regions) may be affected. Employees should always be encouraged to do what makes them feel safest in these scenarios, whether remaining at home or at work until the situation has resolved, but their decisions could affect their pay.

Mon, 07 Jan 2019 00:00:00 +0000

From the policy:

General regulations
All virtual machines and applications are subject to the same policies as non-virtualized systems. Software patching, remote access, and security measures must be applied to virtualized systems exactly as they are to physical ones, including but not limited to installing workstation security software, disabling shared or guest accounts, user account controls, monitoring and logging, disk and network encryption, backups, and all other relevant policies.

Separate policies may exist for legacy platforms or applications, including restricting network access.

Unless specifically backed up or snapshotted, no guarantee is made for data recovery in the event of user error, hardware failure, or other disaster that renders the VM or host platform inaccessible.

User responsibilities
Users requesting new virtualized resources must convey the nature of their needs to the IT department at least one week in advance. Requests should provide appropriate detail in terms of the technical and business requirements prompting the request. Request details must include a schedule for performing backups, if backups are required for the use case.

The ticketing system in place for physical systems will be used for virtualized systems.

When a virtualized system is no longer required, users should inform the IT department so these systems can be decommissioned to free up resources.

VMs and/or applications associated with specific employees (e.g., used only by those individuals) will be shut down when the employee leaves. Managers are responsible for notifying the IT department with approval to decommission these systems, or for requesting that the data or applications be preserved, if needed.
Wed, 12 Dec 2018 00:00:00 +0000

From the policy:

Requirements for access

All IT staff should be subjected to personnel screening as a requirement for hire.

IT staff should be provided dedicated accounts tied to their identity rather than allowed to use generic system accounts (administrator/root, for instance).

No staff members, whether inside or outside of IT, should ever share their account information or passwords.

Administrative rights to systems/access to data should be granted to IT staff on a “least privilege” basis so they can perform the tasks needed to do their jobs but nothing further.

All administrative rights to systems and access to data must be documented, and that documentation must be held by at least two senior IT staff, such as the IT director and the VP of information technology, so that no single person controls the record of who has privileged access.

Any elevated privileges granted to IT staff must be documented and removed as soon as the access is no longer required.

IT staff must access systems and data only as needed for verifiable work purposes. It is a violation of this policy to engage in any exceptions to this principle, such as browsing confidential financial data, reading employee emails, reviewing termination documents, or any other misuse of access not involving job responsibilities.

A “separation of duty” concept must apply to IT staff so that no individual is solely responsible for critical/secure functions nor has sole access to any system or data.

Fri, 05 Oct 2018 00:00:00 +0000

From the guidelines:

Machine automation is widely used across diverse industry sectors because it is cost-effective and risk reducing. Its applications include but are not limited to CNC machines in manufacturing and fabrication, industrial robots that pick, pack, load, and transport goods in warehouses, unmanned drones that deliver shipments to customers, automated machines that aid in the life sciences and in pharmaceutical development, and telesurgery. Machine automation performs vital and sometimes lifesaving functions, but it can’t succeed without rigorous policy guidelines that ensure safe, compliant, uninterrupted, and proper use.

Because machine automation combines hardware and software that is ultimately connected to internal or external communications networks, it is paramount to keep the physical machine and its operating software updated and in compliance, and to ensure that the automation runs in an environment protected from hacking, malware, and other network disruptions. Equally important is ensuring that only staff with the proper security authorization and training operate the equipment. Insurance and legal liability issues must also be taken into account when machine automation policies are developed.

The spectrum of machine automation is vast. Companies that manufacture plastic enclosures by using a CNC machine to cut patterns will develop machine automation policies that are substantially different from what an operator of a telesurgery robot will require. The policies below are broken down into general categories of consideration that should be taken into account as part of your due diligence during the formation of a machine automation policy.

Depending on what your business application is, the key points within each topic will be of more or less importance to you. The recommended best practice use of this list is to focus on those guidelines that are directly relevant to your business model as you formulate a machine automation policy that is customized to your company’s circumstances, but it’s a good idea to review the other topics that are listed to ensure that there isn’t a relevant area you might have overlooked.

Fri, 07 Sep 2018 00:00:00 +0000

From the policy:

When considering training, ensure that there is an identifiable link between the selected training option and the employee’s career development plan. With that link established, identify which delivery method will best meet the employee’s career development needs, within the context of their current job requirements:

Internal training provided by the company and delivered onsite

External training provided by a vendor or university, usually from one day to several weeks in duration

Certification or degree programs

Self-study

A combination of the above can be used for ongoing employee development and should be considered part of an integrated career development plan.

Identifying appropriate training
All training should support the employee’s overall career development path and be relevant to their current roles and responsibilities or prepare them to advance within their career. During each annual review period, the employee should discuss career development needs with their manager and how internal and external training can address these needs. A well-designed development plan will support and streamline the process for approving internal or external training.
Thu, 26 Jul 2018 00:00:00 +0000

From the policy:

Streaming media permitted for business purposes is defined as “content deemed necessary to fulfill employee job duties and responsibilities.” This access will be allowed at all times.

Reasonable recreational access to streaming media is permitted so long as it does not interfere with employee productivity (as defined by employee managers), distract or impede the productivity of others, or consume an inordinate amount of system or network resources. However, the organization maintains the right at any time to block access to streaming media/programs—on a per-individual or companywide basis—that do not involve legitimate business purposes.

Employees may use personal devices to access streaming media on company networks, but all elements of this policy will apply in such scenarios.

Streaming media should never be accessed on company servers or critical workstations; it must be viewed or played on employee workstations or devices.

Employees should only download streaming media files on company systems/networks that relate to specific business-related purposes.

Where possible, employees should use headphones when accessing streaming audio to avoid creating undue noise burdens upon coworkers.

Access to offensive or inappropriate streaming media content (defined herein as “any published or broadcast content that is likely to be upsetting, insulting, or objectionable to some or most people”) is prohibited on all company systems/networks at all times.

Thu, 26 Jul 2018 00:00:00 +0000

From the policy:

When end users utilize systems—whether workstations, laptops, or mobile devices—to access, work on, and store company data, the loss or failure of those devices can put data at risk. Productivity, operations, and company reputation can be placed in jeopardy as well.

To protect itself, its employees, and its business activities, every organization should make regular backups of all end-user data stored on its systems, whether company-provided or employee-owned.

IT STAFF RESPONSIBILITIES
IT staff will perform the following tasks:

Designate appropriate network-based home or local directories (referred to as “protected directories”) for users to store data on workstations that will be backed up, whether directly via backup software or through synchronization tools or cloud storage.

Ensure sufficient allocation of space and application of appropriate permissions on these protected directories.

Implement and maintain a centralized backup system or official configuration that covers protected directories and devices. It should also include all other aspects of end-user data, such as messaging systems, databases, and instant messaging information. This backup system may be local (in-house, such as a data center) or external (such as in cloud storage provided by Box or Dropbox).

Establish a mobile device data backup method, such as using cloud storage like Google Drive or iCloud. See Tech Pro Research’s Cloud data storage policy for further information pertaining to this and other cloud storage-related endeavors. If cloud storage is prohibited by regulation or policy, the IT department will train users on how to download data from their mobile devices to protected directories on a periodic basis.

Ensure the backup of any data required by law and data required to recover from any type of disaster.
Fri, 22 Jun 2018 00:00:00 +0000

From the policy:

Staying in compliance with software licenses can be quite difficult. End users have a reputation for being cavalier with copying software, while certain software vendors have a tendency to change license terms with minimal advance notice.

In the interest of avoiding a painful (and possibly expensive) audit process, having a standardized and well-documented practice for handling software license compliance is vital. The process outlined in this policy will guide the office of the CIO and other stakeholders in ensuring that software is not installed on client devices in excess of the terms of the software license, and that hardware and software changes are documented so that the organization remains in compliance.

Purpose
This policy provides guidelines for making sure that the software on computers and other devices owned by the organization is used within the terms of the license provided by the software vendor.

Scope
All full-time and part-time employees, contract workers, consultants, and temporary workers are subject to this policy. It applies to any device (whether employee-owned, company-owned, or company-leased) used for company purposes, including but not limited to desktops, laptops, servers, mobile devices, tablets, printers, scanners, copiers, fax machines, routers, and managed switches.
Mon, 18 Jun 2018 00:00:00 +0000

From the policy:

Summary
The Internet of Things (or IoT) refers to network- or internet-connected devices, such as appliances, thermostats, monitors, sensors, and portable items that can measure, store, and transmit information.

IoT devices may be business oriented (e.g., RFID tags to track inventory), consumer based (such as Fitbits), or a hybrid of both (like the Raspberry Pi, which offers an array of uses across the two sectors). The devices may be company-provided or employee-owned, such as through a BYOD policy.

IoT devices continue making inroads in the business world, so organizations should have a defined IoT structure in place to ensure that data and operations are properly secured.

IoT device procurement
In general, IoT devices that are to be used for company operations should be purchased and installed by organizational personnel.

It is allowable for employee-owned IoT devices to be used for business purposes, but they must be used in accordance with the organization’s Bring Your Own Device (BYOD) policy.

The use of all IoT devices, whether company-provided or employee-owned, should be requested via the IoT Device Usage Request Form (see Appendix A), which must be submitted to the IT department for approval. Only manager-level employees and above may request the usage and/or procurement of IoT devices.

The IT department is responsible for identifying compatible platforms, purchasing equipment, and supporting organization-provided and authorized IoT devices. The IT department is not responsible for allocating funds to pay for the devices, accessories, and/or service fees (if applicable). Requesting managers must allocate funds from their department’s operating budget (where applicable) to cover costs arising from the device request.
Wed, 16 May 2018 00:00:00 +0000

From the policy:

The list of advantages to cloud computing includes lowered operational costs, greater technological flexibility, and the ability to rapidly implement new systems or services. Gains in business continuity are an especially noteworthy attraction to cloud services, which operate via remote systems that remain running in the event of a local disaster, such as a hurricane or power outage.

However, cloud computing also creates new exposure to security threats and data loss. Storing files outside the organization can pose a greater risk of data breaches due to mishandled files and credentials or failure to follow security best-practice controls. Cloud services might shut down, or might employ individuals who pry into customer data and extract company secrets. Files kept in the cloud might not be covered by any service agreement relating to the restoration of lost or corrupt data. Files synchronized to unprotected personal devices might be compromised if those devices are lost or stolen. Finally, many cloud providers operate facilities in countries or territories with different standards or regulations, which might subject company data to international or export restrictions.

In short, a significant set of concerns arises when it comes to the risk of using cloud services. These risks are compounded further by the often decentralized role IT plays in cloud computing, which can easily be set up by users with just a few mouse clicks and no money down. It could take bare moments for critical or sensitive data to be sent offsite, either deliberately or by mistake.

Therefore, to protect the organization and its employees it is critical to establish a clear and firm policy governing how company data is to be kept (or not) in the cloud.
Wed, 16 May 2018 00:00:00 +0000

From the plan:

Objective
This Disaster Recovery and Business Continuity plan provides a roadmap that organizations can follow to implement sound disaster recovery and business continuity processes.

Audience
The plan is aimed at the IT department. The organization’s executive staff must cooperate and assist in coordinating and supporting the plan’s design, implementation, and maintenance if the plan is to prove effective.

Purpose
This plan strives to achieve the following goals:

Ensure that the organization’s executives understand the need for a written disaster recovery and business continuity plan

Determine how the organization will back up and protect specified data from loss

Determine how and where the organization will recover operations should a crisis occur

Define which individuals, departments, or teams are responsible for which disaster planning and execution tasks

Disaster plan importance
Before an organization can build an effective disaster recovery and business continuity plan, its executives must agree on the plan’s importance, the systems and data to be protected, recovery strategies, and the staff and departments responsible for fulfilling each of the plan’s elements.

Organizations that suffer significant data loss are considerably more likely to fail and file for bankruptcy, and the longer an organization’s business operations are interrupted, the greater that risk becomes.

Thus, it’s critical that organizations implement sound disaster plans that include provisions for business continuity in the event of a catastrophe. They must develop consensus among C-level executives and directors and within the technology department responsible for implementing and maintaining disaster recovery efforts; otherwise, a disaster plan becomes a futile exercise in paperwork only.
Sun, 15 Apr 2018 00:00:00 +0000

From the guidelines:

Software automation policies are system-defined or administrator-defined sets of rules that govern the execution of automated actions. Examples of automated actions include running a report using parameters obtained from the policy, sending an alert to the administrator, and executing a command or running a task on managed computers. The tasks that IT automates in its infrastructure might involve internal IT resource management, such as automatically determining where data is stored in a storage hierarchy, or they might involve automating certain business processes, such as using automated software to score a loan for creditworthiness during underwriting.

In all processes that involve automation software, a complex set of business decision rules and technical settings must be orchestrated in the software to meet a specific business or IT objective. Most commercial vendors understand this. That’s why most vendors now sell software that comes with recommended presets for automation but that also allows you to override those presets with your own settings to tailor the software to your specific business and IT needs.

During the course of software automation for business and IT processes, the specific automation process should be thoroughly tested to ensure that it works correctly and consistently whenever it is called into action; that it meets the business or IT needs it was designed for; that it conforms to corporate governance, compliance, and security standards; and that it has the requisite logging and reporting mechanisms that track all its activities.

Examples of processes that software automation policies are designed for include:

Automated credit checks and approvals for loans

Quality of service (QoS) checks for network-critical operations like telesurgery

Automated data management and storage

Security monitoring and alert systems

Sun, 15 Apr 2018 00:00:00 +0000

From the policy:

Employee passwords are the first line of defense in securing the organization from inappropriate or malicious access to data and services. In many cases, compromised user accounts have been turned into stepping stones for administrator-level penetration by unauthorized individuals, resulting in catastrophic, well-publicized data breaches.

Regardless of whether accounts are used for testing, workstation setups, day-to-day use, or superuser/root privileges, establishing and maintaining a strong password management policy is the foundation of a secure organization.

Purpose
This policy provides guidelines for the consistent and secure management of passwords for employees and system and service accounts. It includes mandates on how passwords should be generated, used, stored, and changed, as well as instructions for handling password compromises.

General requirements
Blank or easily guessed passwords (such as “password”) are never permitted for any account, no matter how trivial. Passwords should not contain dictionary words such as “kitchen” or “automotive.”

Passwords must be complex, containing at least eight characters and a mixture of lowercase and uppercase letters, digits, and punctuation characters. For instance, “B3llt0Wer!” should be used in place of “Belltower,” as it is more resistant to plain dictionary guessing. Note, however, that such digit-for-letter substitutions are well known to password-cracking tools, which apply them as rules against ordinary wordlists, so additional length protects a password far more than a predictable substitution does.

Passwords should never contain security-sensitive information, such as an employee’s social security number or date of birth. They also should not include public information related to an employee’s personal life, such as the names of their children, hobbies, favorite sports team, etc.

Use different passwords on different systems. For example, a Windows account password should not be the same as a QuickBooks password. It is especially critical that external accounts (such as those on third-party websites like Salesforce.com) do not share passwords with internal accounts, so that a breach of an external service does not expose internal systems.

Passwords used on company systems should never correspond with employee personal account passwords (e.g., Windows account and Gmail account passwords must be separate).

Users must not write passwords down or send passwords through email/instant messaging services.

The IT department will not ask users for their passwords but will instead set temporary passwords for employees who can’t log into their accounts.

Employees should consider using a password management program like LastPass, KeePass, or Password Safe to store their passwords in a central encrypted database secured by a master password (which is subject to the same guidelines described here). If such a program is used, it should be configured to auto-lock when the system is idle and to clear any passwords in the clipboard when not in use.

Mon, 26 Mar 2018 00:00:00 +0000
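The general requirements above can be enforced automatically at password-set time. The following is an added example, not code from the policy or from any of the tools it names: it implements the stated rules (no blank or trivial passwords, minimum length, four character classes, no dictionary words, no personal information) and additionally undoes common digit-for-letter substitutions before the dictionary check, so that the policy’s own suggested example “B3llt0Wer!” is flagged for still containing the dictionary words it was built from. The wordlist, the substitution table, and the sample inputs are constructed for the demonstration; a real deployment would load a large wordlist.

```python
"""Password policy checker (added example): applies the policy's stated rules and
closes the leetspeak loophole, so "B3llt0Wer!" is still recognized as "belltower"."""
import re
import string

# Constructed stand-in for a real wordlist (assumption: a deployment loads a large one).
DICTIONARY = frozenset({
    "password", "kitchen", "automotive", "bell", "tower", "belltower",
    "welcome", "summer", "admin", "letmein",
})

# Common substitutions reversed, so normalize("B3llt0Wer!") yields "belltoweri".
LEET_MAP = str.maketrans({
    "0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t",
    "@": "a", "$": "s", "!": "i", "|": "l",
})

MIN_LENGTH = 8
MIN_DICT_WORD = 4   # ignore very short words; "to" inside "tower" is not useful signal


def normalize(password: str) -> str:
    """Lowercase, undo leetspeak substitutions, and drop anything non-alphabetic."""
    return re.sub(r"[^a-z]", "", password.lower().translate(LEET_MAP))


def dictionary_hits(password: str, dictionary=DICTIONARY) -> list[str]:
    """Dictionary words found inside the normalized password, longest first."""
    norm = normalize(password)
    hits = [w for w in dictionary if len(w) >= MIN_DICT_WORD and w in norm]
    return sorted(hits, key=len, reverse=True)


def check_password(password: str, personal_info=(), dictionary=DICTIONARY) -> list[str]:
    """Return the list of policy violations; an empty list means the password passes.

    personal_info is an iterable of strings the user must not embed (children's
    names, birth dates, team names, ...), compared both raw and normalized.
    """
    if not password.strip():
        return ["blank password"]          # nothing else is worth reporting
    violations = []
    if len(password) < MIN_LENGTH:
        violations.append(f"shorter than {MIN_LENGTH} characters")

    classes = {
        "lowercase": any(c.islower() for c in password),
        "uppercase": any(c.isupper() for c in password),
        "digit": any(c.isdigit() for c in password),
        "punctuation": any(c in string.punctuation for c in password),
    }
    missing = [name for name, present in classes.items() if not present]
    if missing:
        violations.append("missing character class(es): " + ", ".join(missing))

    hits = dictionary_hits(password, dictionary)
    if hits:
        violations.append("contains dictionary word(s): " + ", ".join(hits))

    lowered = password.lower()
    norm = normalize(password)
    for item in personal_info:
        item_l = item.lower()
        norm_item = normalize(item)
        # Raw match catches "2010" in "Emma2010!x"; normalized match catches "3mm4".
        if item_l and (item_l in lowered or (len(norm_item) >= 3 and norm_item in norm)):
            violations.append(f"contains personal information: {item!r}")
    return violations


if __name__ == "__main__":
    # Constructed sample inputs; the last one carries a child's name and birth year.
    samples = [
        ("", ()),
        ("password", ()),
        ("B3llt0Wer!", ()),
        ("xq7!Vm2p#Lw9", ()),
        ("Emma2010!x", ("Emma", "2010")),
    ]
    for pw, info in samples:
        result = check_password(pw, personal_info=info)
        print(f"{pw!r:16} -> {result or 'OK'}")
```

Run as a script it prints one verdict per sample; imported, `check_password` can sit behind a password-change hook. The normalization step is the security-relevant part: a complexity check alone accepts “B3llt0Wer!”, while the normalized dictionary check rejects it.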